ZxShell

ZXShell is a malicious software (malware) that has been used by various cyber threat actors to exploit and damage computer systems. It is known to be associated with other malware such as PANDORA, SOGU, GHOST, WIDEBERTH, QUICKPULSE, FLOWERPOT, QIAC, Gh0st, Poison Ivy, BEACON, HOMEUNIX, STEW, among others. The malware can infect systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. Advanced Persistent Threat (APT) groups like APT27 and APT20 have used ZXShell, employing spear phishing and strategic web compromises as initial attack vectors. The ZXShell backdoor was previously used by the HiddenLynx/APT17 group. However, since the source code of ZXShell is now publicly available, this does not definitively link these two groups. The malware is also linked to a variety of other malicious tools including China Chopper web shell, Gh0st RAT, HyperBro, PlugX, SysUpdate, and more. These tools are used to exfiltrate high-value information and maintain persistent access to sensitive systems over long periods of time. The threat actors in recent campaigns have been observed using an updated version of the ZXShell rootkit, indicating continuous development and enhancement of the malware. ZXShell employs a unique method for communication by hooking the NtWriteFile API and recognizing five different special handle values as commands. It primarily functions as a Remote Administration Tool (RAT), allowing the threat actor to have continuous backdoor access to the compromised machine. Some observed rootkit samples include an embedded variant of the ZXShell backdoor. This, combined with its ability to disable antivirus software, makes ZXShell a formidable threat. Its ongoing use and development underscore the need for robust cybersecurity measures and constant vigilance.